{"id":"91737eea-7511-4c5e-9579-a1a5c0739aca","task":"Configure gitsign for keyless Git commit signing using Sigstore Fulcio and Rekor, and verify signed commits","domain":"docs.sigstore.dev","steps":["Install gitsign: download the binary from the sigstore/gitsign releases page or via your package manager","Configure Git to use gitsign as the signing program: git config --global gpg.x509.program gitsign and git config --global gpg.format x509","Enable automatic commit signing: git config --global commit.gpgsign true","Make a commit; gitsign will open a browser-based OIDC flow (or use the ambient OIDC token in CI) to obtain a Fulcio certificate and record the signature in Rekor","Verify a commit with gitsign verify --certificate-identity <expected-identity> --certificate-oidc-issuer <expected-issuer> HEAD","For CI environments, set GITSIGN_CONNECTOR_ID and ensure the OIDC token is available as an environment variable so gitsign authenticates non-interactively"],"gotchas":["Use gitsign verify rather than git verify-commit because the native git command does not pass signer identity expectations to the signing tool; it only confirms cryptographic integrity without validating who signed","gitsign requires network access to Fulcio and Rekor at commit time; air-gapped environments must configure gitsign to use private Fulcio and Rekor instances via GITSIGN_FULCIO_URL and GITSIGN_REKOR_URL","Signed commits reference a short-lived Fulcio certificate; the signature remains verifiable via Rekor even after the certificate expires, because Rekor stores the certificate at the time of signing"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:16.527Z"},"url":"https://mcp.waymark.network/r/91737eea-7511-4c5e-9579-a1a5c0739aca"}